IlohaMail < 0.8.14-RC3 read_message.php Multiple Field HTML Injection

Low severity, Nessus Network Monitor, Plugin ID 2828

Synopsis

The remote host is vulnerable to an HTML injection attack.

Description

The target is running at least one instance of IlohaMail version 0.8.14 or earlier. The remote version of this software is vulnerable to an HTML injection attack. To exploit this flaw, an attacker would need to convince a local user to open a malicious HTML email. Successful exploitation would result in the victim executing potentially damaging code, and possibly in the theft of confidential, authentication-related data.

Solution

Upgrade to version 0.8.14-RC3 or higher.

See Also

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=304525

Plugin Details

Severity: Low

ID: 2828

Family: CGI

Published: 4/14/2005

Updated: 3/6/2019

Nessus ID: 18050

Risk Information

VPR

Risk Factor: Low

Score: 2.7

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:H/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:ilohamail:ilohamail

Reference Information

CVE: CVE-2005-1120

BID: 13175